Ransomware Hits City of Atlanta

A ransomware attack -- possibly a variant of SamSam -- has affected some customer-facing applications and some internal services at the City of Atlanta. The FBI and incident response teams from Microsoft and Cisco are investigating. The city's police department, water services and airport are not affected.

The attack was detected early on Thursday morning. By mid-day the city had posted an outage alert to Twitter. In a press conference held Thursday afternoon, mayor Keisha Bottoms announced that the breach had been ransomware. She gave no details of the ransomware demands, but noticeably declined to say whether the ransom would be payed or refused.

Bottoms could not at this stage confirm whether personal details had also been stolen in the same breach, but suggested that customers and staff should monitor their credit accounts. Questions on the viability of data backups and the state of system patches were not clearly answered; but it was stressed that the city had adopted a 'cloud first' policy going forwards specifically to improve security and mitigate against future ransomware attacks.

A city employee obtained and sent a screenshot of the ransom note to local radio station 11Alive. The screenshot shows a bitcoin demand for $6,800 per system, or $51,000 to unlock all systems. It is suggested that the ransom note is similar to ones used by the SamSam strain of ransomware. Steve Ragan subsequently tweeted, "1 local, 2 remote sources are telling me City of Atlanta was hit by SamSam. The wallet where the ransom is to be sent (if they pay) has collected $590,000 since Jan 27."

SamSam ransomware infected two healthcare organizations earlier this year. SamSam is not normally introduced via a phishing attack, but rather following a pre-existing breach. This could explain the concern over data theft on top of the data encryption. It also raises the question over whether the initial breach was due to a security failure, an unpatched system, or via a third-party supplier.

Ransomware is not a new threat, and there are mitigations -- but it continues to cause havoc. Official advice is, wherever at all possible, refuse to pay. The theory is if the attackers cease getting a return on their attacks, they will turn to something easier with a better ROI on their time. This approach simply isn't working.

Sometimes payment can be avoided by recovering data from backups. But this isn't always possible with SamSam. In the Hancock Health SamSam incident earlier this year, the organization decided to pay the ransom "to expedite our return to full operations", despite having backups. In the event, the SamSam attackers had already closed this route. "Several days later," announced CEO Steve Long, "it was learned that, though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers."

It isn't yet known whether the City of Atlanta attack is definitely a SamSam attack, whether the system was breached prior to file encryption, nor whether backup files have been corrupted. These details should become clear over time. The fact that Hancock Health decided to pay the ransom, and had its systems back up and running within days, may become part of Atlanta's decision on whether to pay or not.

Apart from recovering from backups or paying the ransom, the only other option (assuming that there are no decryptors available from the NoMoreRansom project) is to stop the encryption the moment it starts. Traditional anti-malware perimeter detection will not stop modern malware. That means prevention requires very rapid and early detection.

"Ransomware spreads like wild fire, and is the most time critical of cyber threats," comments Matt Walmsley, EMEA Director at Vectra. "The ability to detect the pre-cursor behaviors of ransomware is the only way to get ahead of the attack. Unfortunately, that's almost impossible to do using traditional manual threat hunting techniques. That's why forward-thinking enterprises are increasingly using an automated approach, using AI-powered threat detection. You need to detect and respond at machine speed."

Timely patching is also vital, especially where the attacker breaches the system prior to encryption. "When you are told to patch months before and witness precursor warnings like WannaCry and NotPetya going by," exhorts Yonathan Klijnsma, threat researcher at RiskIQ, "well, you damn well better patch. If your organization's patch management is so problematic that it takes this long, you have to change it. Events of this potential magnitude and impact require management to respond by elevating maintenance and patching to mission critical status until they are resolved. The ROI is clear, consider the costs and material loss of your company going down for a day, versus shifting priorities to give your engineers more time to manage patches properly. It's not a good time to roll the dice."

Connected cities are becoming increasingly like large corporations. "A city has some hallmark characteristics of a large enterprise," suggests Rapid7's chief data scientist, Bob Rudis: "there are a large number of employees and contractors with a diverse array of operating systems, hardware and data types that all need protection. Beyond financial account information and general personally identifiable information (PII), city-related systems and networks can and do contain court and criminal records, tax records, non-public information on police and other protective services employees, department activities/plans and more. Much of this is extremely sensitive data and would be treasure trove of information, capable of being used in a diverse array of disruptive, targeted attacks against both individuals and entire departments."

What all this means is anti-ransomware preparations require at least three layers of defense: off-site backups; an efficient patch regime; and real-time anomaly detection. Relying on IT staff 'noticing something peculiar' (as happened with the City of Atlanta) is simply not good enough.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.